All Products
Search

This Product

    Alibaba Cloud Service Mesh:Access a WebSocket service through an ASM ingress gateway

    Document Center

    Alibaba Cloud Service Mesh:Access a WebSocket service through an ASM ingress gateway

    Last Updated:Mar 11, 2026

    WebSocket is a communications protocol that provides full-duplex communication channels over a single TCP connection, operating at the application layer in the OSI model. WebSocket enables servers to push data to clients in real time. Services that comply with WebSocket are called WebSocket services. Service Mesh (ASM) supports WebSocket natively through the Envoy proxy's HTTP Upgrade mechanism -- no special protocol configuration is required at the gateway level.

    This topic walks you through deploying a sample WebSocket application, configuring ingress routing, and verifying real-time data synchronization across browser sessions. It also covers upgrading from ws:// to wss:// (WebSocket Secure) with TLS termination at the gateway.

    How it works

    A WebSocket connection starts as a standard HTTP request with an Upgrade: websocket header. The Envoy proxy in the ASM ingress gateway detects this header and upgrades the connection from HTTP to a persistent, bidirectional WebSocket channel. Because this upgrade happens within the HTTP protocol, the Gateway resource uses protocol: HTTP on port 80 -- no WebSocket-specific protocol setting is needed.

    Prerequisites

    Deploy a sample application

    1. Connect to the Container Service for Kubernetes (ACK) cluster using kubectl. For details, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.

    2. Create a file named tornado.yaml with the following content: This manifest defines a Kubernetes Service listening on port 8888 and a single-replica Deployment that runs the tornado WebSocket demo application. The port is named http, which tells Istio to apply Layer 7 routing -- including WebSocket upgrade support -- to traffic on this port.

         apiVersion: v1
   kind: Service
   metadata:
     name: tornado
     labels:
       app: tornado
       service: tornado
   spec:
     ports:
     - port: 8888
       name: http
     selector:
       app: tornado
   ---
   apiVersion: apps/v1
   kind: Deployment
   metadata:
     name: tornado
   spec:
     replicas: 1
     selector:
       matchLabels:
         app: tornado
         version: v1
     template:
       metadata:
         labels:
           app: tornado
           version: v1
       spec:
         containers:
         - name: tornado
           image: registry.cn-beijing.aliyuncs.com/aliacs-app-catalog/tornado:lastest
           imagePullPolicy: Always
           ports:
           - containerPort: 8888

    3. Apply the manifest:

         kubectl apply -f tornado.yaml

    Configure routing rules

    To route external traffic to the WebSocket application, create an Istio Gateway and a VirtualService.

    Create an Istio gateway

    1. Log on to the ASM console.

    2. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    3. On the Mesh Management page, find the target ASM instance and click its name, or click Manage in the Actions column.

    4. In the left-side navigation pane, choose ASM Gateways > Gateway. On the page that appears, click Create from YAML.

    5. Select default from the Namespace drop-down list, paste the following YAML, and click Create: Setting the port number to 80 allows the WebSocket service to receive inbound or outbound HTTP and TCP traffic over port 80. The wildcard host (*) accepts connections from any domain.

         apiVersion: networking.istio.io/v1alpha3
   kind: Gateway
   metadata:
     name: tornado-gateway
   spec:
     selector:
       istio: ingressgateway
     servers:
     - port:
         number: 80
         name: http
         protocol: HTTP
       hosts:
       - "*"

    Create a virtual service

    1. On the ASM instance details page, choose Traffic Management Center > VirtualService in the left-side navigation pane. Click Create from YAML.

    2. Select default from the Namespace drop-down list, paste the following YAML, and click Create: This routes all incoming requests through tornado-gateway to the tornado backend service.

         apiVersion: networking.istio.io/v1alpha3
   kind: VirtualService
   metadata:
     name: tornado
   spec:
     hosts:
     - "*"
     gateways:
     - tornado-gateway
     http:
     - match:
       - uri:
           prefix: /
       route:
       - destination:
           host: tornado
         weight: 100

    Get the ingress gateway IP address

    Retrieve the external IP address of the ingress gateway using either the ASM console or the ACK console.

    ASM console

    1. Log on to the ASM console. In the left-side navigation pane, choose Service Mesh > Mesh Management.

    2. Click the name of the ASM instance. In the left-side navigation pane, choose ASM Gateways > Ingress Gateway.

    3. On the Ingress Gateway page, find the value under Service address.

    ACK console

    1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

    2. On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose Network > Services.

    3. On the Services page, select istio-system from the Namespace drop-down list. In the External IP column, find the IP address for istio-ingressgateway on port 80.

    Verify WebSocket connectivity

    1. Open http://<ingress-gateway-IP> in four separate browser windows.

      WebSocket service in browsers

    2. Send data to the WebSocket service: Replace <ingress-gateway-IP> with the IP address obtained in the previous step. All four browser windows update simultaneously with the same data, confirming that the WebSocket service is pushing real-time updates through the ingress gateway.

         curl "http://<ingress-gateway-IP>/api?id=8&value=300"
   curl "http://<ingress-gateway-IP>/api?id=5&value=600"
   curl "http://<ingress-gateway-IP>/api?id=1&value=200"
   curl "http://<ingress-gateway-IP>/api?id=3&value=290"

    Upgrade to WebSocket Secure (wss)

    To encrypt WebSocket traffic with TLS, add an HTTPS listener to the gateway.

    Prepare TLS credentials

    1. Create a server certificate and private key for the ingress gateway. For detailed instructions, see Prepare server certificates and private keys for multiple servers.

    2. Create a Kubernetes secret containing the certificate and key in the istio-system namespace of the ACK cluster. Name the secret myexample-credential: Replace <your-private-key-file> and <your-certificate-file> with the paths to your key and certificate files.

         kubectl create -n istio-system secret tls myexample-credential \
     --key=<your-private-key-file> \
     --cert=<your-certificate-file>

    Update the gateway configuration

    Update the Gateway resource created earlier to add an HTTPS server block on port 443:

    apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: tornado-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - hosts:
    - "*"
    port:
      name: https
      number: 443
      protocol: HTTPS
    tls:
      credentialName: myexample-credential
      mode: SIMPLE

    The tls.mode: SIMPLE setting enables one-way TLS, where the gateway terminates TLS and forwards decrypted traffic to the backend. The credentialName references the Kubernetes secret created in the previous step.

    Verify wss connectivity

    1. Add a DNS entry to your local hosts file that maps the domain in your certificate to the ingress gateway IP address. For example, if your certificate is issued for a.aliyun.com:

         <ingress-gateway-IP>  a.aliyun.com

    2. Open https://a.aliyun.com in four separate browser windows.

      WebSocket service in browsers

    3. Send data over the encrypted connection: The -k flag skips certificate verification, which is acceptable for testing. In production, use a valid certificate from a trusted Certificate Authority (CA). All four browser windows update simultaneously, confirming that WebSocket Secure (wss) connections work correctly through the ingress gateway.

         curl -k "https://<ingress-gateway-IP>/api?id=8&value=300"
   curl -k "https://<ingress-gateway-IP>/api?id=5&value=600"
   curl -k "https://<ingress-gateway-IP>/api?id=1&value=200"
   curl -k "https://<ingress-gateway-IP>/api?id=3&value=290"

    Production considerations

    • Connection timeouts: WebSocket connections are long-lived. If connections drop unexpectedly, check the idle timeout in your Gateway or DestinationRule configuration. For workloads that require longer sessions, increase the idleTimeout value.

    • Port naming convention: Istio uses the port name field to detect protocols. Naming the port http (as in the Service manifest above) enables Layer 7 features including WebSocket upgrade handling. If the name is omitted or non-standard, Istio treats the traffic as opaque TCP and Layer 7 routing is unavailable.

    • TLS in production: Replace the self-signed certificate with a certificate issued by a trusted CA. Remove the -k flag from curl commands and configure your DNS to resolve the domain to the ingress gateway IP.

    Related topics